Canadian IT departments are beginning to figure out their compliance strategies in response to new Canadian Securities Commission regulations, the federal privacy law, the U.S.’s Sarbanes-Oxley Act and other rules binding their enterprises.
Most large companies are affected by at least some of this legislation. Up to now, many of them have been busy understanding what is required of them and what they need to do to get up to scratch, said Tony Masella, partner in finance and performance management at consulting firm Accenture in Toronto. “Now they’re trying to figure out well, how do they try to bridge those gaps.”
While U.S. companies must comply with Sarbanes-Oxley requirements this year, non-U.S. companies with stocks listed there have until 2005, and the newer Canadian Securities Commission regulations will not require publicly traded companies to document their internal controls until either 2005 or 2006, said Doug Wilkinson, enterprise risk services partner at Deloitte Consulting in Toronto. Details of the Canadian rules will likely be clarified this fall, he said.
Many companies are turning to short-term fixes to comply with the new laws quickly, Masella said. That’s fine for now, but smart businesses will have to figure out the ideal answer in the longer term and try to get there, he said. “They need to figure out how to optimize their organization for this new reality.”
In some cases, complying with new laws and regulations will mean acquiring new technology tools that help meet the requirements.
For instance, Philadelphia-based Longview Solutions sells Khalix, software that consolidates financial information from assorted Enterprise Resource Planning (ERP) systems, spreadsheets and other sources to provide a single authoritative set of figures for an entire organization. “It replaces all the silos of data that large corporations tend to have,” said Michelle Wettlaufer, vice-president of finance at Longview, which also sells LRAL, a training package that can be used to ensure policies are published and understood within the organization.
EVault Inc. of Walnut Creek, Calif., has an e-mail archival service, called ProMail, that can help businesses make sure old e-mail messages are readily retrievable should they be needed. George Ho, technology manager at Toronto-based ClaringtonFunds Inc., says the mutual fund management company is evaluating ProMail as a possible way of complying with securities legislation that requires it to be able to produce e-mail messages.
ClaringtonFunds has also looked at some software that might help address privacy requirements of the Personal Information Protection and Electronic Documents Act, Ho said, but “nothing has really piqued our interest.”
Wilkinson said consulting and auditing firms are offering “point solutions” to help their clients comply with new rules, and a number of software firms are adding features to their products to address the requirements. For instance, Waterloo, Ont.-based document management software vendor Opentext Corp. has “taken their product a long way to turn it into a compliance product,” said Wilkinson.
Not all businesses need new software to comply with financial legislation, Masella noted. “If they’ve purchased the leading financial applications in the past I would say two or three years, they probably have the software they need,” he said. However, he added, not all businesses have implemented the features in their existing software that will bring them into line with new legislation, so they may still have work to do.
Whether they are buying software or tweaking existing applications to meet new requirements, businesses may have to ask themselves who pays for the extra technology or work to comply with new laws. Is this an IT expense? A financial expense? Does it fall under security, with which privacy in particular is often closely associated?
“I’ve seen a lot of different places for it,” Masella said. It usually depends, he said, on who is taking responsibility for getting the work done.
Wilkinson said many organizations have set up compliance project teams reporting to the chief financial officer, and associated expenses therefore fall into the CFO’s budget, though IT plays a role.
At ClaringtonFunds, any new tools needed will probably be treated as IT expenses, Ho said. “Even though it’s governance-related, it’s IT’s initiative to comply with those rules.”
Law firm Borden Ladner Gervais is not affected by securities rules, but “we will have to deal with the impact of the privacy legislation in terms of all of our systems,” said Joel Alleyne, chief information officer and chief knowledge officer. Alleyne said it is not certain what budget category any associated costs fall into, but the more interesting question is how the legislative requirements affect IT priorities.
Legislative requirements can push an item to the top of the priority list, Alleyne said, which potentially could take attention away from other things.
“All corporations have choices to make,” Masella agreed. If they need to spend money on compliance with new legislation, other things that are adequate but lack the latest bells and whistles may be considered good enough for a little longer.
But Michael Murphy, general manager of security software vendor Symantec Canada Corp., said he is not worried that spending on security tools such as antivirus, firewalls and the like will suffer because of the focus on complying with new legislation. Murphy said responsibility for privacy and accountability issues will fall to security specialists in many cases, but “the security groups and IT groups will be given the appropriate funding to deploy new technology.”
Budget pressures on IT departments have eased somewhat in recent months, Murphy said. While a couple of years ago IT was being asked to do more with less, he said, the economy has rebounded and now IT departments are merely being asked to do more with what they already have.
“I think over time they’ll be given more money to do much more with incrementally more,” Murphy said.